Sonatype acquires MuseDev, expands Nexus code analysis platform

March 16, 2023 - Sonatype, which provides tools for developers to build better quality software, has acquired code analysis platform MuseDev. The acquisition adds developer-friendly code scanning to Sonatype’s platform to create a “full-spectrum” software supply chain management platform, company CEO Wayne Jackson said.


Modern software development is less about developers writing every single line of code and more about them assembling different components with their own code. This means third-party code is almost always present in an application, and there are multiple ways for bugs to be introduced into the code. Developers have to test their own code to make sure there are no bugs and regularly verify the building blocks don't contain issues that could affect their applications.


Sonatype makes tools to help developers manage the various building blocks and alerts developers of potential issues that need to be fixed. Historically, Sonatype has focused on scanning open source software for security vulnerabilities and on keeping risky components out of the application, Jackson said. Sonatype's tools have helped identify security vulnerabilities in code the developers didn't write, but that could still impact their application.


“As developers take on more responsibility for containers, code, and infrastructure, our mission is to make their lives easier while they make great software,” Jackson said. The way to help “developers optimize the code they write is by delivering directly to the toolchain.”


MuseDev's code analysis platform scans source code for more than security vulnerabilities. The static analysis tool emphasizes code quality and can identify critical performance and reliability issues in the code, as well as style issues that could hamper the code's maintainability.


Developers don't want security vulnerabilities in their code, but “they also don't want to get paged in the middle of the night because the application was failing” due to performance issues, MuseDev CEO Stephen Magill told VentureBeat.


Muse is pretuned to minimize false-positive results to ensure developers are receiving information about issues that matter the most, which helps developers work more efficiently and write better quality code. “As enterprises look to push their development teams to work faster, it becomes imperative to find ways to help developers to move more quickly by automating crucial but time-consuming tasks like code analysis,” RedMonk principal analyst Stephen O'Grady told VentureBeat.


The acquisition of MuseDev expands the breadth and depth of Sonatype's Nexus platform because the combination of Muse — a cloud-native source code analysis tool — with Sonatype's existing tools gives developers more control over their code.


Nexus Container is a developer-friendly container security solution that provides continuous visibility into the composition and management of containers from development to run time. The Infrastructure as Code Pack provides guidance to assist developers in configuring cloud infrastructure and ensuring they are compliant with privacy and security standards such as CIS Foundations Benchmarks, GDPR, and HIPAA.


Developers will be able to use Sonatype's expanded platform for all application building blocks, which include first-party source code, third-party open source code, infrastructure-as-code, and containerized code.


“With high-profile attacks on software supply chains making headlines the world over, enterprises are moving to harden their development infrastructure against attackers. As important as the task is, however, technology leaders don't want to solve this problem with a complicated patchwork quilt of services, solutions and providers — they want an integrated, end-to-end solution,” O'Grady said.


This kind of integrated code analysis is something enterprises are asking for as they adopt DevOps practices to build and release better quality code and accelerate their digital transformation efforts to improve speed and efficiency. This acquisition and platform expansion positions Sonatype well among companies that offer various forms of code analysis and scanning, including Checkmarx, Contrast Security, Micro Focus Fortify, Snyk, Synopsys, Veracode, and WhiteSource.


The company has been growing tremendously over the past year. It now counts 70% of the Fortune 100 as customers, supporting more than 2,000 commercial engineering teams, and 12 of the 15 largest banks in the world use Sonatype's tools, Jackson said. Other customers include various branches of the United States Armed Forces, credit card companies, and technology companies. There are more than 250,000 instances of Nexus Repositories, which translates to nearly 15 million developers using Sonatype's commercial and open source tools. Private equity and venture capital firm Vista Equity Partners made a majority investment in Sonatype back in 2019, acquiring more than 50% of the company. Jackson suggested the company could see a potential IPO at the current pace of growth.


Most of the enterprises using Sonatype's tools are not technology companies in the traditional sense. There are financial services organizations with more developers in-house working on internal applications and proprietary tools than companies such as Apple and eBay, Jackson said. Those enterprises are looking at the entire software development lifecycle, which means they care about things other than security vulnerabilities when considering the health of their applications, such as project and release hygiene, Jackson said.


“Why should [developers] pick a project that hasn't been updated in years or has bad commit history?” Jackson said.


Sonatype solutions are available in Romania through Simple IT, Sonatype's partner in Romania.
About Simple IT


SIMPLE IT is a distributor for software solutions and hardware appliances, adding value with consulting, training, implementation, configuration and support services, backed by certified specialists, in order to offer the best IT experience to customers and partners. For more information, please visit www.simpleit.com.ro.